Enable Amazon GuardDuty for Your AWS Account
Amazon GuardDuty

Enabling a threat detection service like Amazon GuardDuty, which continuously monitors, analyzes, and processes AWS data sources and logs in your AWS environment, is very helpful from a security standpoint.

The question is: do you have it enabled for your AWS account?

In this short write-up, I will guide you through enabling Amazon GuardDuty for your AWS account. But first, let me briefly highlight some features and capabilities of Amazon GuardDuty.

Features and Capabilities of Amazon GuardDuty

The features and capabilities of Amazon GuardDuty are categorized into the following:

  1. Threat Detection - Amazon GuardDuty can detect malware on Amazon EC2 instances, unauthorized access, and anomalous behavior. By learning your baseline traffic patterns, GuardDuty can detect deviations that may indicate malicious activity.
  2. Data Sources - GuardDuty analyzes VPC Flow Logs to detect suspicious activity like port scanning, unusual data exfiltration, or anomalous traffic to or from your VPCs. GuardDuty also analyzes AWS CloudTrail logs, inspecting API calls and management events to identify unusual patterns, such as unauthorized users attempting to escalate privileges or suspicious changes to IAM policies. DNS logs are not left out: GuardDuty monitors DNS requests made within your AWS environment to detect connections to domains associated with malware, data exfiltration, or command and control servers.
  3. Integrated Threat Intelligence - GuardDuty integrates threat intelligence from AWS, including information about known malicious IP addresses, URLs, and domains, allowing it to flag threats that are already recognized.
  4. Automated Response - Using AWS Lambda, you can automate the response to GuardDuty findings, such as isolating compromised instances, revoking compromised credentials, or triggering alerts to your security team.
  5. Multi-Account Support - GuardDuty can be deployed across multiple AWS accounts and regions. This centralized management allows for consistent threat detection policies and consolidated findings across your organization, making it easier to manage security at scale.
  6. Cost-Efficiency - GuardDuty pricing is based on the volume of logs analyzed, which makes it cost-effective as you only pay for what you use. It automatically scales to handle varying amounts of log data depending on your workload.
  7. Security Integration - GuardDuty integrates seamlessly with other AWS security services like AWS Security Hub, AWS IAM Access Analyzer, and AWS Config, enhancing your overall security posture with a unified view and easier management.
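
As an added illustration of the Automated Response item above (example code written for this write-up, not taken from the article or from AWS), here is a Lambda handler that turns a GuardDuty finding event into a response plan. The event shape follows the EventBridge "GuardDuty Finding" format; the sample event, finding ID, account ID and instance ID are constructed, and the action names are placeholders for whatever your own workflow carries out.

```python
"""Triage a GuardDuty finding delivered to AWS Lambda through EventBridge.
plan_response() maps the finding's severity band and resource type to the
response actions a later step carries out; no AWS calls are made here, so
the decision logic can be tested without AWS access."""

# GuardDuty severity bands: lower bound of each band's numeric severity.
SEVERITY_BANDS = (("Low", 1.0), ("Medium", 4.0), ("High", 7.0), ("Critical", 9.0))

# Constructed sample event in the EventBridge 'GuardDuty Finding' shape.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "EXAMPLE-FINDING-ID", "accountId": "123456789012",
               "region": "us-east-1", "severity": 8,
               "type": "UnauthorizedAccess:EC2/SSHBruteForce",
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}}

def severity_label(score):
    """Map a numeric GuardDuty severity to its band name."""
    label = "Informational"  # below 1.0; GuardDuty does not normally emit these
    for name, floor in SEVERITY_BANDS:
        if score >= floor:
            label = name
    return label

def plan_response(event):
    """Return a response plan for one finding; reject anything else."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    d = event["detail"]
    band = severity_label(float(d["severity"]))
    res = d.get("resource", {})
    plan = {"finding_id": d["id"], "type": d["type"], "severity": band,
            "account": d.get("accountId"), "region": d.get("region"), "actions": []}
    if band in ("High", "Critical"):
        # Severe findings: page people and contain the affected resource.
        plan["actions"].append("page_security_team")
        if res.get("resourceType") == "Instance":
            plan["actions"].append("isolate_instance:" + res["instanceDetails"]["instanceId"])
        elif res.get("resourceType") == "AccessKey":
            plan["actions"].append("revoke_access_key:" + res["accessKeyDetails"]["accessKeyId"])
    elif band == "Medium":
        plan["actions"].append("notify_security_team")
    else:
        plan["actions"].append("log_only")
    return plan

def lambda_handler(event, context):
    """Lambda entry point (event is the EventBridge payload)."""
    return plan_response(event)
```

Wire the function to an EventBridge rule matching source `aws.guardduty` and detail-type `GuardDuty Finding`, and have a following step execute the returned actions.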

For more information on Amazon GuardDuty, see the Amazon GuardDuty documentation page.

Enabling Amazon GuardDuty for your AWS Environment

You can enable GuardDuty directly from the AWS Management Console or from the AWS Command Line Interface (AWS CLI), whichever suits you.

I want to show you how to enable it from the console. To do this, search for Amazon GuardDuty in the console, open it, and click Get Started.

Get Started with Amazon GuardDuty

As the screenshot above shows, the Amazon GuardDuty welcome page is displayed. Click Enable GuardDuty to enable it.


Amazon GuardDuty Welcome Page

Enable Amazon GuardDuty as shown below:


Enabling Amazon GuardDuty

It will take a few minutes for the task to complete. Once it is complete, you will see a green banner at the top of the Amazon GuardDuty page informing you that "You've successfully enabled GuardDuty."


Amazon GuardDuty Enabled

The GuardDuty summary page is currently empty, as GuardDuty will populate it with findings once it detects potential threats in my AWS environment.

Note that once Amazon GuardDuty is enabled for your AWS account, it runs free for 30 days. For more details about GuardDuty pricing, see the GuardDuty pricing page.

Amazon GuardDuty Protection Plans

There are six protection plans, with Amazon GuardDuty Runtime Monitoring being the most recently added one, bringing new finding types.


Amazon GuardDuty Runtime Monitoring



Take a moment to go through each of the protection plans.


Amazon GuardDuty Protection Plans

You will notice that only the EKS Protection plan is not enabled by default. You can enable the EKS Protection plan manually based on your requirements.

Organizations with multiple AWS accounts can add other accounts to monitor by invitation.


Add Multiple AWS Accounts

Alternatively, you can enable Amazon GuardDuty, list detectors to get the detector ID, update detector settings, and disable GuardDuty by running the AWS CLI commands below (replace <detector-id> with the ID returned by list-detectors):

# Enable GuardDuty
aws guardduty create-detector --enable

# List Detectors to get Detector ID
aws guardduty list-detectors

# Update Detector Settings (if needed)
aws guardduty update-detector --detector-id <detector-id> --finding-publishing-frequency SIX_HOURS

# Disable GuardDuty (if needed)
aws guardduty delete-detector --detector-id <detector-id>
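
The same steps as an idempotent script (an added example, not part of the original write-up), using the boto3 GuardDuty client methods that correspond to the CLI commands above. Unlike running create-detector by hand, it can be re-run across every GuardDuty region without ever creating a second detector; the `ensure_detector`/`ensure_all_regions` names are mine.

```python
"""Idempotently make sure GuardDuty is enabled in one or more regions.
Mirrors the CLI steps above (list-detectors, create-detector, update-detector)
but only creates a detector when the region has none and only updates
one when its status or publishing frequency differs from what we want."""

# Publishing frequencies accepted by the GuardDuty API.
VALID_FREQUENCIES = {"FIFTEEN_MINUTES", "ONE_HOUR", "SIX_HOURS"}


def ensure_detector(gd, frequency="SIX_HOURS"):
    """Return (detector_id, action) for one region.

    `gd` is any object exposing boto3's GuardDuty client methods
    (list_detectors, create_detector, get_detector, update_detector).
    action is "created", "enabled", "updated" or "unchanged".
    """
    if frequency not in VALID_FREQUENCIES:
        raise ValueError(f"unsupported finding publishing frequency: {frequency}")
    ids = gd.list_detectors().get("DetectorIds", [])
    if not ids:
        # No detector in this region yet: create it, enabled from the start.
        resp = gd.create_detector(Enable=True, FindingPublishingFrequency=frequency)
        return resp["DetectorId"], "created"
    detector_id = ids[0]  # GuardDuty permits a single detector per region
    current = gd.get_detector(DetectorId=detector_id)
    if current.get("Status") != "ENABLED":
        gd.update_detector(DetectorId=detector_id, Enable=True,
                           FindingPublishingFrequency=frequency)
        return detector_id, "enabled"
    if current.get("FindingPublishingFrequency") != frequency:
        gd.update_detector(DetectorId=detector_id, FindingPublishingFrequency=frequency)
        return detector_id, "updated"
    return detector_id, "unchanged"


def ensure_all_regions(client_for_region, regions, frequency="SIX_HOURS"):
    """Run ensure_detector in every region; returns {region: (id, action)}."""
    return {r: ensure_detector(client_for_region(r), frequency) for r in regions}


if __name__ == "__main__":
    import boto3  # only needed for a real run against your account

    session = boto3.Session()
    report = ensure_all_regions(
        lambda r: session.client("guardduty", region_name=r),
        session.get_available_regions("guardduty"))
    for region, (det_id, action) in sorted(report.items()):
        print(f"{region}: detector {det_id} {action}")
```

Running it needs credentials allowed to call guardduty:ListDetectors, GetDetector, CreateDetector and UpdateDetector in each region; a second run reports "unchanged" everywhere.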


Eng.(Dr) Idris Sogunle, AWS CCP AWS SAA, ITIL

DevOps Engineer | Certified Solution Architect | 2x AWS Certified | Linux | Docker | Ansible | Terraform | Kubernetes | Full Stack Web Developer

5 months

Love this
